Huntress and FBI: Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe

Huntress and FBI: Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe

Huntress Investigates Alleged Insider Threat After Employee Shared FBI Intel with Ransomware Operator

Huntress CEO Kyle Hanslovan has acknowledged "questionable" communications between a current threat hunter at the cybersecurity firm and a cybercriminal, describing the exchanges as a lapse in judgment. The incident surfaced after former Huntress analyst Ben Folland accused the employee of acting as an insider threat by allegedly sharing law enforcement details with Devman, a ransomware operator linked to Russia.

According to Hanslovan’s blog post, the employee disclosed to Devman that U.S. law enforcement had contacted them about the threat actor. While Hanslovan stated the disclosure was not illegal, he called it "poor judgment" and denied that it constituted insider activity. Huntress has since implemented stricter policies for researcher interactions with threat actors and taken administrative actions, though no evidence of illegal conduct or further disclosures was found.

Folland, however, disputes this characterization. In a LinkedIn post, he claimed the employee forwarded FBI communications including agent names to Devman, warning the ransomware operator of an active investigation. He also alleged the employee refused to cooperate with law enforcement, a claim the FBI reportedly confirmed to Folland. Folland argued the actions went beyond poor judgment, equating them to an insider tipping off a criminal under investigation.

Devman, known for using modified DragonForce ransomware built on leaked Conti source code, has been publicly targeting Folland and his family. The FBI has not responded to requests for comment, and Huntress has declined further statements.

The dispute highlights tensions over ethical boundaries in threat intelligence, with Huntress maintaining the employee’s actions were not malicious, while Folland insists they meet the definition of an insider threat. The investigation remains ongoing.

Source: https://www.theregister.com/security/2026/06/30/huntress-ceo-says-threat-hunter-used-poor-judgment-in-alerting-ransomware-crim-about-law-enforcement-probe/5264532

Federal Bureau of Investigation (FBI) cybersecurity rating report: https://www.rankiteo.com/company/fbi

Huntress cybersecurity rating report: https://www.rankiteo.com/company/huntress-labs

"id": "FBIHUN1782843828",
"linkid": "fbi, huntress-labs",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Huntress',
                        'type': 'Cybersecurity Firm'}],
 'attack_vector': 'Insider Communication',
 'data_breach': {'personally_identifiable_information': 'Agent names',
                 'sensitivity_of_data': 'High (FBI investigation details)',
                 'type_of_data_compromised': 'Law enforcement communications, '
                                             'agent names'},
 'description': 'Huntress CEO Kyle Hanslovan acknowledged questionable '
                'communications between a current threat hunter at the '
                'cybersecurity firm and a cybercriminal, Devman, a ransomware '
                'operator linked to Russia. The employee allegedly shared law '
                'enforcement details with Devman, including FBI communications '
                'and agent names, warning the ransomware operator of an active '
                'investigation. Huntress denied the actions constituted '
                'insider activity but implemented stricter policies for '
                'researcher interactions with threat actors.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'insider threat allegations',
            'data_compromised': 'FBI communications, agent names',
            'operational_impact': 'Stricter internal policies implemented'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Need for stricter oversight of employee interactions with '
                    'threat actors; ethical boundaries in threat intelligence '
                    'require clearer guidelines.',
 'motivation': 'Tipping off a criminal under investigation',
 'post_incident_analysis': {'corrective_actions': 'Stricter policies for '
                                                  'researcher-threat actor '
                                                  'interactions; '
                                                  'administrative actions '
                                                  'against the employee',
                            'root_causes': 'Lapse in judgment by employee; '
                                           'potential ethical misalignment in '
                                           'threat intelligence practices'},
 'ransomware': {'ransomware_strain': 'DragonForce (modified, built on leaked '
                                     'Conti source code)'},
 'recommendations': 'Implement stricter policies for researcher-threat actor '
                    'communications; enhance insider threat detection '
                    'mechanisms; ensure cooperation with law enforcement '
                    'investigations.',
 'references': [{'source': "Huntress CEO Kyle Hanslovan's blog post"},
                {'source': "Ben Folland's LinkedIn post"}],
 'response': {'communication_strategy': 'CEO blog post and public statements',
              'containment_measures': 'Stricter policies for researcher '
                                      'interactions with threat actors',
              'law_enforcement_notified': 'FBI contacted the employee',
              'remediation_measures': 'Administrative actions taken against '
                                      'the employee'},
 'threat_actor': 'Devman (ransomware operator linked to Russia)',
 'title': 'Huntress Investigates Alleged Insider Threat After Employee Shared '
          'FBI Intel with Ransomware Operator',
 'type': 'Insider Threat'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.